[no subject]



Here is the breakdown for vendor acknowledgement:

1068 had no clear public acknowledgement, or none at all.  1283 had
acknowledgement.  15 were disputed by the vendor.

I.e., 45% of vulnerabilities that were identified in CVE have no clear
public acknowledgement by the vendor.

For at least 100 of the issues with no acknowledgement, the reporter
who disclosed the vulnerability either said that the vendor was aware
of it, or pointed to a patch for which there were no follow-up
discussions that confirmed whether the patch was successful or not.

In approximately 20 cases, the vendor may have said something very
minimal like "fixed security issue" which was not enough evidence for
us to be sure they were fixing the issue that *we* cared about.

Note: we cannot tell when a vendor provides a fix to customers only as
part of a private upgrade - that's not "public" acknowledgement (which
affects security professionals who aren't customers) - but private
upgrade messages are sometimes forwarded to public forums such as
Bugtraq.

- Steve


Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.